On Sat, Sep 09, 2017 at 09:29:45AM -0700, Blibbet wrote: > I apologize if I missed it, but I haven't see any mention of this recent > vulnerability here, excerpts below. > > http://www.kb.cert.org/vuls/id/166743 > > -----snip----- > Vulnerability Note VU#166743 > > Das U-Boot AES-CBC encryption implementation contains multiple > vulnerabilities > > Original Release date: 08 Sep 2017 > > Das U-Boot is a device bootloader that can read its configuration from > an AES encrypted file. For devices utilizing this environment encryption > mode, U-Boot's use of a zero initialization vector and improper handling > of an error condition may allow attacks against the underlying > cryptographic implementation and allow an attacker to decrypt the data. > > An attacker with physical access to the device may be able to decrypt > the device's contents. > > The CERT/CC is currently unaware of a practical solution to this problem. > -----snip-----
So, I mentioned this in the patch that migrated the option to Kconfig and marked it deprecated, and I plan to mention it in the release notes on Monday. But, this option has no in-tree users and I plan to remove the code in the near term, if no one with the relevant background steps up to re-implement it. Thanks! -- Tom
signature.asc
Description: Digital signature
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
